
ESET blocking RDP on random clients


j-gray


The same EEA policies are applied to all Windows 11 workstations, all are running EEA 11.1.x. In this case, all are on the same subnet.

We have a select few where once EEA is installed, TCP port 3389 gets closed. Port scan with no EEA shows 3389 open and we can successfully RDP. As soon as EEA is installed, the port is no longer available and we cannot RDP.

Every other Windows 11 workstation except for two on the same subnet, same 11.1.x version and same policies, port 3389 is accessible.

I can't tell how/why EEA is closing the port.

Firewall is disabled, but IDS is enabled to allow Network Isolation functionality. Current policy is below:


Hi,

The same is happening in the domain that I work in every day. Those computers or virtual machines in which Windows 11 is being installed are inaccessible through Remote Desktop connections after installing ESET Endpoint Antivirus on them. On the client side of EEA, those blocked incoming RDP connections can be seen under Setup --> Network --> "Resolve Blocked Communication" section. Sorry for not having a solution yet, I am trying to find one. I just wanted to inform that there are more cases with the same situation.

 


  • Administrators

Is it really that no remote IP was logged? Is the IP address trusted? Asking since RDP connections are allowed only from the trusted zone and trusted networks by default.


28 minutes ago, Kaneda740 said:

Hi,

The same is happening in the domain that I work in every day. Those computers or virtual machines in which Windows 11 is being installed are inaccessible through Remote Desktop connections after installing ESET Endpoint Antivirus on them. On the client side of EEA, those blocked incoming RDP connections can be seen under Setup --> Network --> "Resolve Blocked Communication" section. Sorry for not having a solution yet, I am trying to find one. I just wanted to inform that there are more cases with the same situation.

Thanks for this info.

What's very puzzling to me is that we have at least 15 other Win11 workstations on that same subnet, all with the same ESET policies and same GPOs. ESET is blocking RDP on only two of those systems. All others show the TCP 3389 available/open.

Netstat shows they're listening on that port, but it's otherwise blocked as soon as we install ESET.

I can't figure out what's causing the inconsistencies.


1 hour ago, Marcos said:

For troubleshooting purposes you could change this setting to "All networks" and see if it helps:

Yes, this opens TCP port 3389 again on those two devices.

I'm still confused as to why this was impacting only 2 of 12 devices on the same subnet.


2 hours ago, j-gray said:

I'm still confused as to why this was impacting only 2 of 12 devices on the same subnet.

You will have to research why Eset does not consider the two Win 11 devices not part of the local (trusted) subnet.


20 minutes ago, itman said:

You will have to research why Eset does not consider the two Win 11 devices not part of the local (trusted) subnet.

No idea how I might discern that. Those systems are all on the same /24 subnet. They are not multi-homed and have a standard, basic network config via DHCP.

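One way to look for what differs between a workstation where RDP is allowed and one where it is blocked, given here as an added example that is not part of any post in this thread and is not ESET tooling. It records only how Windows itself sees the network (address, prefix, gateway, DNS, network category) and does not read ESET's trusted-zone settings; the function names, file names and output path are hypothetical.

```powershell
# Added example. Run in PowerShell on each workstation to record how Windows
# sees its network; this does not read ESET's own trusted-zone configuration.
function Get-RdpNetworkFacts {
    # Is a listener bound to TCP 3389 on this host?
    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    # Only interfaces with an IPv4 default gateway (the ones RDP would arrive on).
    Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | ForEach-Object {
        $ip         = $_.IPv4Address | Select-Object -First 1
        $netProfile = Get-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex -ErrorAction SilentlyContinue
        $dnsClient  = Get-DnsClient -InterfaceIndex $_.InterfaceIndex -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            RdpListening    = [bool]$listener
            InterfaceAlias  = $_.InterfaceAlias
            IPv4Address     = $ip.IPAddress
            PrefixLength    = $ip.PrefixLength
            Gateway         = ($_.IPv4DefaultGateway | Select-Object -First 1).NextHop
            DnsServers      = ($_.DNSServer.ServerAddresses -join ',')
            DnsSuffix       = "$($dnsClient.ConnectionSpecificSuffix)"
            NetworkName     = "$($netProfile.Name)"
            NetworkCategory = "$($netProfile.NetworkCategory)"  # Public / Private / DomainAuthenticated
        }
    }
}

# Report only the properties that differ between a working and a blocked host.
function Compare-RdpNetworkFacts {
    param([Parameter(Mandatory)][string]$WorkingJson,
          [Parameter(Mandatory)][string]$BlockedJson)
    $good  = Get-Content $WorkingJson -Raw | ConvertFrom-Json
    $bad   = Get-Content $BlockedJson -Raw | ConvertFrom-Json
    $props = 'RdpListening','PrefixLength','Gateway','DnsServers','DnsSuffix','NetworkName','NetworkCategory'
    foreach ($name in $props) {
        if ("$($good.$name)" -ne "$($bad.$name)") {
            [pscustomobject]@{ Property = $name; Working = $good.$name; Blocked = $bad.$name }
        }
    }
}

# On each workstation (output path is a placeholder):
Get-RdpNetworkFacts | ConvertTo-Json | Set-Content "$env:TEMP\rdp-facts-$env:COMPUTERNAME.json"
# Then, with both files copied to one machine (file names are placeholders):
# Compare-RdpNetworkFacts -WorkingJson .\rdp-facts-WS-OK.json -BlockedJson .\rdp-facts-WS-BLOCKED.json
```

A host that reports `RdpListening` as true while `Test-NetConnection -ComputerName <host> -Port 3389` from another machine fails matches the symptom described in this thread: the service is listening, but the connection is filtered before it reaches it.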

  • Administrators

Perhaps comparing ELC logs from a machine where RDP communication was allowed with those from one where it was blocked would reveal the cause. Please provide me with such 2 sets of logs for a check.
